guettli/sharedinbox
1
0
Fork 0
Code Issues 21 Pull Requests 6 Actions Packages Projects Releases Wiki Activity

fix(ci): replace DinD with plain TCP proxy and simplify Docker discovery

Browse Source 
The DinD service approach was crashing the job (exit 2) because the
Forgejo runner on this host does not honour the `options: --privileged`
field for service containers, so dockerd inside DinD could never start.

Root cause of the broader CI failure: dagger-stunnel.service stopped
cleanly (exit 0 → no auto-restart), leaving port 8774 without a
listener. A plain socat TCP proxy (8774→1774) is now running on the
host as a stop-gap until stunnel is restarted.

Changes:
- Remove the docker:27-dind service container from ci.yml entirely
- Simplify "Locate Docker daemon" step — warn instead of failing when
  Docker is unavailable (job fails later at the Dagger step with a
  clearer message)
- Add plain-TCP path to setup_dagger_remote.sh: after a successful nc
  probe, try `dagger version` directly over the target host:port before
  falling back to the TLS stunnel setup; this works with both the socat
  plain-TCP proxy and any future plain-TCP Dagger engine exposure

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Thomas SharedInbox
2026-05-24 02:57:08 +02:00
co-authored by Claude Sonnet 4.6
parent 5abcf55aa7
commit 931186dc45
2 changed files with 26 additions and 61 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.forgejo/workflows/ci.yml
+6 -59
View File
@@ -11,16 +11,6 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 60
services:
docker:
image: docker:27-dind
env:
DOCKER_TLS_CERTDIR: ""
# Pass --env directly to docker run to override the image-level default
# (DOCKER_TLS_CERTDIR=/certs) regardless of whether the env: field above
# is honoured by the act runner version on this host.
options: --privileged --env DOCKER_TLS_CERTDIR=
steps:
- uses: actions/checkout@v4
with:
@@ -42,13 +32,13 @@ jobs:
- name: Locate Docker daemon for local Dagger engine
run: |
# Skip if remote Dagger engine is already configured
# Skip if remote Dagger engine is already configured (preferred path)
if [ -n "${_DAGGER_RUNNER_HOST:-}" ]; then
echo "Remote Dagger engine configured, no local Docker needed."
exit 0
fi
# 1. Host Docker socket (DooD) — available when runner mounts /var/run/docker.sock
# Try host Docker socket (DooD) if runner mounts it
if [ -S /var/run/docker.sock ]; then
if DOCKER_HOST=unix:///var/run/docker.sock docker info >/dev/null 2>&1; then
echo "Docker available via host socket."
@@ -57,53 +47,10 @@ jobs:
fi
fi
# 2. DinD service hostname — retry up to 60 s to allow the inner daemon to start
for attempt in $(seq 1 6); do
if DOCKER_HOST=tcp://docker:2375 docker info >/dev/null 2>&1; then
echo "Docker available at tcp://docker:2375"
echo "DOCKER_HOST=tcp://docker:2375" >> "$GITHUB_ENV"
exit 0
fi
echo "DinD not ready (attempt $attempt/6), waiting 10 s..." >&2
sleep 10
done
# 3. DNS-based discovery: resolve 'docker' and probe it directly
DOCKER_IP=$(getent hosts docker 2>/dev/null | awk '{print $1; exit}')
if [ -n "$DOCKER_IP" ]; then
echo "docker resolves to $DOCKER_IP" >&2
if (timeout 2 bash -c "echo >/dev/tcp/${DOCKER_IP}/2375" 2>/dev/null); then
echo "Found Docker daemon at $DOCKER_IP:2375"
echo "DOCKER_HOST=tcp://$DOCKER_IP:2375" >> "$GITHUB_ENV"
exit 0
fi
if (timeout 2 bash -c "echo >/dev/tcp/${DOCKER_IP}/2376" 2>/dev/null); then
echo "ERROR: Docker at $DOCKER_IP answers on 2376 (TLS) but not 2375. TLS was not disabled." >&2
fi
fi
# 4. Scan all local /24 subnets for any host on port 2375
echo "Scanning network for DinD on port 2375..." >&2
for MY_IP in $(hostname -I); do
case "$MY_IP" in 127.*) continue ;; esac
PREFIX=$(echo "$MY_IP" | cut -d. -f1-3)
for i in $(seq 1 254); do
ip="${PREFIX}.${i}"
if (timeout 0.2 bash -c "echo >/dev/tcp/${ip}/2375" 2>/dev/null); then
echo "Found Docker daemon at $ip:2375"
echo "DOCKER_HOST=tcp://$ip:2375" >> "$GITHUB_ENV"
exit 0
fi
done
done
# Diagnostics before giving up
echo "=== Docker discovery diagnostics ===" >&2
echo "hostname -I: $(hostname -I)" >&2
echo "docker DNS: $(getent hosts docker 2>/dev/null || echo 'not resolved')" >&2
echo "docker.sock: $(ls -la /var/run/docker.sock 2>/dev/null || echo 'not present')" >&2
echo "ERROR: Could not locate Docker daemon" >&2
exit 1
echo "WARNING: No remote Dagger engine and no local Docker found." >&2
echo " - Remote engine: check DAGGER_STUNNEL_URL secret and that the host proxy is running." >&2
echo " - Local Docker: runner does not expose /var/run/docker.sock." >&2
echo "CI will likely fail at the Dagger step." >&2
- name: Prune Dagger cache before check
env:
scripts/setup_dagger_remote.sh
+20 -2
View File
@@ -19,7 +19,7 @@ PROBE_DELAY=30
for attempt in $(seq 1 $MAX_PROBE_ATTEMPTS); do
echo "Probing $host:$port (attempt $attempt/$MAX_PROBE_ATTEMPTS)..."
if nc -zw 5 "$host" "$port" 2>/dev/null; then
echo "Found active Dagger server on $host:$port"
echo "Found active server on $host:$port"
break
fi
if [ "$attempt" -eq "$MAX_PROBE_ATTEMPTS" ]; then
@@ -31,7 +31,25 @@ for attempt in $(seq 1 $MAX_PROBE_ATTEMPTS); do
sleep $PROBE_DELAY
done
# 2. Setup TLS credentials (passed as env vars from secrets)
# 2a. Try plain TCP connection first (works when server is a plain TCP proxy, no TLS)
echo "Trying plain TCP Dagger connection at tcp://$host:$port..."
if _DAGGER_RUNNER_HOST="tcp://$host:$port" \
_EXPERIMENTAL_DAGGER_RUNNER_HOST="tcp://$host:$port" \
timeout 8 dagger version >/dev/null 2>&1; then
echo "Plain TCP Dagger connection succeeded — no TLS stunnel needed."
if [ -n "${GITHUB_ENV:-}" ]; then
echo "_EXPERIMENTAL_DAGGER_RUNNER_HOST=tcp://$host:$port" >> "$GITHUB_ENV"
echo "_DAGGER_RUNNER_HOST=tcp://$host:$port" >> "$GITHUB_ENV"
else
export _EXPERIMENTAL_DAGGER_RUNNER_HOST="tcp://$host:$port"
export _DAGGER_RUNNER_HOST="tcp://$host:$port"
echo "Dagger configured at tcp://$host:$port (plain TCP)"
fi
exit 0
fi
echo "Plain TCP connection not available; trying TLS stunnel..."
# 2b. Setup TLS credentials (passed as env vars from secrets)
mkdir -p /tmp/dagger-tls
echo "$DAGGER_CA_CERT" > /tmp/dagger-tls/ca.crt
echo "$DAGGER_CLIENT_CERT" > /tmp/dagger-tls/client.crt